cbcvebase.
CVE-2021-36711
published 2022-07-16

CVE-2021-36711: WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.

Priority: P273 (critical)
CVSS 3.1: 9.8 (critical)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 12.08% (95.6th percentile)

Affected (2 ranges)

Vendor    Product   Version range     Fixed in
octobot   octobot   < 0.4.4           0.4.4
octobot   octobot   >= 0, < 0.4.4     0.4.4

Detection & IOCs (extracted from sources)

url: http://{RHOST}:{RPORT}/api/version
url: http://{RHOST}:{RPORT}/commands/restart
url: http://{RHOST}:{RPORT}/advanced/tentacle_packages?update_type=add_package
url: https://static.octobot.online/tentacles/officials/packages/full/base/{octobotVersion}/any_platform.zip
path: reference_tentacles/Services/Interfaces/web_interface/api/metadata.py
  • Detect POST requests to /advanced/tentacle_packages?update_type=add_package carrying the headers Content-Type: application/json and X-Requested-With: XMLHttpRequest and a JSON body that maps a remote ZIP URL to 'register_and_install'.
  • Alert on HTTP requests to /api/sashimi with LHOST and LPORT query parameters; such requests trigger the injected reverse shell endpoint.
  • Monitor for outbound connections from the OctoBot process to anonfiles.com, which the exploit uses to stage the malicious ZIP payload.
  • Flag GET requests to /commands/restart that immediately follow a Tentacle package upload; the exploit restarts OctoBot to activate the injected backdoor.
  • Inspect ZIP packages uploaded to OctoBot for a modified reference_tentacles/Services/Interfaces/web_interface/api/metadata.py containing socket/pty reverse shell code.
  • The exploit only works against OctoBot instances with no password protection; a 302 or other non-200 response to the root URL indicates the instance is password-protected, and the exploit aborts.
  • Affected versions are OctoBot 0.4.0beta3 through 0.4.3; versions 0.4.4 and above are patched.